CN1213582C - System and method for intializing simple network management protocol (SNMP) agent - Google Patents


Info

Publication number: CN1213582C
Authority: CN (China)
Application number: CNB008135274A
Other languages: Chinese (zh)
Other versions: CN1385020A (en)
Inventor: 威廉·H·约斯特
Current assignee: InterDigital CE Patent Holdings SAS
Original assignee: Thomson Licensing SAS
Application filed by Thomson Licensing SAS
Publication of CN1385020A
Application granted
Publication of CN1213582C
Legal status: Expired - Lifetime

Classifications

    • H04L41/02 Standardisation; Integration (under H04L41/00, arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L63/0442 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/061 Network security: supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
    • H04L63/083 Network security: authentication of entities using passwords


Abstract

A system and method for initializing an SNMP agent in SNMPv3 mode. In one aspect of the invention, a method is provided that allows an operator to securely enter the initial SNMPv3 privacy and authentication keys into an SNMPv3 device and cause the device to enter SNMPv3 mode. The SNMP manager and SNMP agent each generate an associated random number and public value (steps 100, 101, 200, 201). The SNMP manager passes its public value to the SNMP agent in a configuration file, which causes a proprietary MIB element in the SNMPv3 device to be set to the public value of the SNMP manager (steps 202, 204). The SNMP manager reads the public value of the SNMP agent through an SNMP request using an initial valid user that has access to the public value of the SNMP agent (steps 103, 203). The SNMP agent and SNMP manager each independently compute a shared secret using the Diffie-Hellman key exchange protocol (steps 105, 204). The SNMP manager and SNMP agent each independently convert the shared secret into the same readable password (steps 106, 205), convert the readable password into the same secret key (steps 107, 206), and set the initial authentication key and the initial privacy key to the value of the secret key (steps 108, 207).

Description

System and method for initializing a simple network management protocol (SNMP) agent
Technical field
Generally, this application relates to a system and method for initializing a Simple Network Management Protocol (SNMP) agent and, more particularly, to a system and method for generating authentication and privacy keys for the first user of an SNMPv3 network management device and securely importing those keys into the device so that the device is initialized into SNMPv3 mode.
Background technology
Generally, SNMP is a standard application-layer protocol used in networks to facilitate the exchange of management information between networked devices. The SNMPv3 framework defines a standard security model and a known access-control model, respectively the User-Based Security Model (USM) and the View-Based Access Control Model (VACM). The SNMPv3 standard is an extensible bare-bones protocol that allows equipment vendors to incorporate their own proprietary management information base (MIB) components and to run applications on top of the standard SNMP framework.
Generally, an SNMP network comprises a plurality of distributed SNMP entities, each comprising one or more SNMP agents and one or more SNMP managers (although an entity may contain both agents and managers), which communicate using SNMP messages. An SNMP manager (or NMS, Network Management Station) is responsible for managing one or more SNMP agents in its domain. An SNMP agent resides on each node (or host) of the network managed by the SNMP manager (for example, a computer, a server, etc.). Each agent is responsible for collecting and maintaining information about its environment, providing that information to the corresponding SNMP manager, and responding to manager commands that change the operating parameters of the local node it configures or manages. Each SNMP agent maintains a local MIB (management information base), a virtual information store containing management information, namely current and historical information about the local configuration and the traffic of the managed device (node). More particularly, the MIB of an SNMP agent comprises a set of managed objects of the managed device, in which related objects are defined in MIB modules.
In SNMPv3 mode, the SNMP agent implements the standard USM (User-based Security Model), in which the configuration parameters applicable to USM are managed via the MIB components defined by the SNMP-USER-BASED-SM-MIB module (described in detail, for example, in RFC 2574, Blumenthal et al., April 1999, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol"). As is known in the prior art, with USM every valid user associated with an SNMPv3 agent uses a unique secret authentication key and a unique privacy key (and standard protocols) to authenticate incoming and outgoing messages and to encrypt/decrypt the payload of those messages. In addition, in SNMPv3 mode the SNMP agent uses the View-based Access Control Model (VACM), which the agent invokes (in response to calls from SNMP applications) to determine whether a particular type of access (read, write) should be granted to an SNMP manager requesting to retrieve or modify local MIB management data, or whether a manager is authorized to receive notifications (traps) from the agent. The configuration parameters applicable to VACM are managed via the MIB components defined by the SNMP-VIEW-BASED-ACM-MIB module (described in detail, for example, in RFC 2575, Wijnen et al., April 1999, "View-based Access Control Model (VACM) for the Simple Network Management Protocol").
Various applications and network architectures implement the SNMP framework. For example, SNMP has been chosen as the communication protocol for the management of cable modem systems based on DOCSIS (Data Over Cable Service Interface Specifications). A DOCSIS cable modem is configured with an SNMP agent that allows a manager (the operator of the DOCSIS cable modem system) to remotely manage and configure the end user's cable modem. However, the current DOCSIS cable modem system architecture provides no standard protocol for entering the initial authentication and privacy keys into a cable modem so as to initialize the cable modem in SNMPv3 mode; the equipment vendor must supply a proprietary protocol to perform this initialization.
The SNMPv3 framework recommends populating usmUserTable out of band, for example without using SNMP (i.e. the first user must be created without using SNMP, and its authentication and privacy keys imported into the managed device). Because SNMP can only provision keys using the privacy key of an existing user, SNMP cannot be used to perform this initialization. If the number of agents to be initialized is very small, the initialization can be performed manually, for example via a console port. If, as in a cable modem system, the number of agents is very large, a manual approach becomes burdensome and does not scale well. There is therefore a strong need for a system and method providing a secure way to enter privacy and authentication keys into a cable modem of a DOCSIS system so as to initialize the modem in SNMPv3 mode.
Summary of the invention
It is an object of the present invention to provide a system and method for initializing an SNMP agent in SNMPv3 mode.
One aspect of the present invention provides a method for initializing a Simple Network Management Protocol v3 device, in which an SNMP manager and the SNMP agent of the SNMPv3 device use the Diffie-Hellman key exchange protocol to enter an initial privacy key and an initial authentication key into the SNMPv3 device; the SNMP manager and the SNMP agent each generate an associated random number and public value using the Diffie-Hellman protocol; the SNMP manager passes its public value to the SNMP agent in a configuration file; the SNMP manager reads the public value of the SNMP agent by an SNMP request using an initial valid user that has access to the public value of the SNMP agent; and the SNMP agent and the SNMP manager each compute a shared secret using the Diffie-Hellman key exchange protocol. The method is characterized by the steps of converting the shared secret into a readable password, converting the readable password into a secret key, and setting both the initial authentication key and the initial privacy key to the value of that secret key.
In another aspect of the present invention, the configuration file passes the CMTS Diffie-Hellman public value to the modem using a proprietary configuration-file object type. This proprietary configuration-file object helps modems that only support SNMPv1/v2c not to reject the configuration file because they do not understand the standard SNMP MIB object (configuration-file component type 11), which can otherwise be used to set the proprietary MIB component in the modem.
Description of drawings
Fig. 1 is a block diagram of a system for initializing an SNMPv3 agent according to an exemplary embodiment of the present invention; and
Fig. 2 is a flow chart of a method for initializing an SNMPv3 agent according to one aspect of the present invention.
Embodiment
It is to be understood that the present invention may be implemented in various forms of hardware, software, firmware, special-purpose processors, or a combination thereof. The present invention is preferably implemented in software comprising program instructions that are tangibly embodied on one or more program storage devices (for example floppy disk, RAM, CD-ROM, ROM, flash memory) and that can be executed on any device, machine or platform having a suitable architecture. It is also to be understood that, because some system elements or method steps are preferably implemented in software, the actual connections may differ depending on the manner in which the present invention is programmed.
Referring to Fig. 1, a block diagram illustrates a system 10 for initializing a managed SNMPv3 device according to an exemplary embodiment of the present invention. More particularly, the system 10 comprises a DOCSIS cable modem system that provides transparent bidirectional transmission of Internet Protocol (IP) packets (received and sent through a backbone network 14 such as the Internet) between a CMTS (Cable Modem Termination System) 16 and an SNMPv3 cable modem 18 over an all-coaxial or hybrid fiber/coaxial (HFC) cable network 17. As is known in the prior art, the CMTS 16 implements functions such as the interface between IP traffic and the RF modulation/transmission of IP packets, and the assignment of an IP address to the cable modem 18. It is to be understood that, although only one cable modem is shown in the figure for illustrative purposes, the system 10 may comprise hundreds of cable modems.
The system 10 comprises an NMS (Network Management Station) 11 located on the backbone network 14 for managing the CMTS 16 and the DOCSIS cable modem 18. The NMS 11 comprises a user interface 12 (for example a GUI (graphical user interface)) and an SNMP manager 13 of conventional architecture for communicating with the SNMP agent 19 of the cable modem 18 via SNMP messages. The system 10 also comprises a remote server 15 that can be accessed by the cable modem 18, for example to download a configuration file with the parameters used to configure the cable modem 18. For example, as explained below, this configuration file comprises objects used by a proprietary Diffie-Hellman key exchange protocol for entering the initial SNMP authentication and privacy keys into the cable modem 18 so as to initialize the SNMP agent 19 in SNMPv3 mode. Generally, this protocol allows the operator (manager) of the NMS 11 to securely enter the initial SNMPv3 authentication and privacy keys into the cable modem 18, and uses the Diffie-Hellman key exchange to bring the modem 18 into SNMPv3 mode. The manager 13 provides its public value to the modem 18 via the configuration file (located, for example, on the server 15). The manager 13 reads the public value of the modem 18 via SNMPv3 using a standard default usmUser that has access only to these values (and to the standard 'system' group). Through the DH exchange, the manager 13 and the cable modem 18 agree on a common shared secret, which is used as the key value for another standard usmUser having access to usmUserTable, in order to create and delete additional users. The manager 13 can add to that table as required.
According to the present invention, the cable modem 18 comprises a MIB 20 that includes a proprietary MIB module and related MIB components for implementing the Diffie-Hellman key exchange. More particularly, the MIB 20 comprises a proprietary MIB module, referred to hereinafter as TCE-DCM105-MIB, which defines MIB components such as tceDCM105KickstartMyPublic and tceDCM105KickstartMgrPublic, used to carry out the SNMPv3 initialization process. These MIB components provide a mechanism for the SNMPv3 agent 19 (in the cable modem 18) and the SNMP manager 13 to perform a Diffie-Hellman key exchange so as to place the privacy key of the first valid user into the cable modem 18. During the registration process, the tceDCM105KickstartMgrPublic object is set to the Diffie-Hellman public value of the manager 13. Various mechanisms exist for transferring this public value of the manager 13 to the agent. Preferably, the transfer is accomplished via the configuration file (for example on the remote server 15) that the cable modem 18 downloads during the cable modem registration process. The value of the tceDCM105KickstartMyPublic MIB component comprises the Diffie-Hellman public value of the agent 19, which the agent 19 publishes after the registration process so that it can be accessed by the manager 13 via SNMP. Preferably, the manager 13 reads the content of tceDCM105KickstartMyPublic using an initial user with a securityName that carries no authentication, for example "docsisInit". A preferred initialization process is described in further detail below with reference to the flow chart of Fig. 2.
The flow chart of Fig. 2 illustrates a method for initializing an SNMPv3 agent according to one aspect of the present invention. In Fig. 2, steps 100-108 represent the steps performed by the SNMPv3 agent and steps 200-208 the steps performed by the manager. When the cable modem initializes/powers up, proprietary software loaded into the cable modem creates, through the SNMP agent, an SNMPv3 user called "docsisInit" with security level noAuthNoPriv and generates the appropriate USM and VACM entries (step 100). This initial valid user (used by the manager, for example, to access the tceDCM105KickstartMyPublic MIB component of the modem) has read access only to the tceDCM105Kickstart group, the system group and the generic traps. Next, the agent generates a random number r1, preferably up to 128 bytes in length (step 101). The agent then uses the well-known Diffie-Hellman protocol to convert its random number r1 into the agent's public value p1 (step 102). More particularly, the agent's public value is p1 = g^r1 mod p, where g is the base of the Diffie-Hellman parameter set, p is the prime of those parameters, and r1 is a random integer chosen by the agent from the interval 2^(l-1) <= r1 <= p-1, with l the length in bits of the secret random number r1. The public value p1 is expressed as an OCTET STRING "PV" of length "k" that satisfies
[Equation image C0081352700081: the relation between p1 and the octets PV1 ... PVk appears only as an image on the page.]
where PV1, ..., PVk are the octets of PV from first to last, and PV1 = 0. In addition, the following Diffie-Hellman parameters (Oakley group 2, RFC 2409, sections 6.1 and 6.2) are preferably used:
g = 2;
p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF; and
l = 64.
The agent publishes its public value p1 in the MIB component tceDCM105KickstartMyPublic (step 103).
During the registration process, the SNMP manager generates its own random number r2, preferably up to 128 bytes in length (step 200). The manager then uses the Diffie-Hellman key exchange protocol, in the same way as the agent and with the parameters described above, to transform its random number into the public value P2 (step 201).
In the DOCSIS framework, as is known in the art, at registration time the cable modem attempts to establish a network connection by, for example, sending a DHCP (Dynamic Host Configuration Protocol) request to the CMTS in order to obtain the IP address and other parameters needed to establish an IP connection. The CMTS sends a DHCP reply that includes the name and location of a configuration file the cable modem can access (for example the IP address of a TFTP (Trivial File Transfer Protocol) server, such as the remote server 15 in Fig. 1). The SNMPv3 cable modem uses the information in the DHCP reply to download the appropriate configuration file via TFTP.
According to the present invention, the manager transmits its public value P2 to the agent in one of several ways via the configuration file (downloaded by the modem) (step 202). In the exemplary embodiment shown in Fig. 2, this is accomplished by an SNMP "Set" MIB object in the configuration file (DOCSIS standard configuration-file component type 11), so that the tceDCM105KickstartMgrPublic MIB component (in the cable modem) is set to the manager's public value P2 (step 104). Other embodiments for transmitting the manager's public value P2 to the cable modem are introduced below.
When the agent determines that tceDCM105KickstartMgrPublic has been set to the manager's public value, the agent computes a shared secret SK from its random number r1 and the manager's public value P2 by the Diffie-Hellman key exchange protocol (step 105). More particularly, the SNMPv3 agent computes the shared secret SK = P2^r1 mod p, where p is the DH prime of the preferred common parameters described above.
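The exchange of steps 101-105 (agent) and 200-204 (manager), written out as an added example; this is not code from the patent or from the DOCSIS modem it describes. It uses the Oakley group 2 parameters listed above. The fixed-width big-endian encoding of the public value, the rejection of degenerate peer values, and the function names are assumptions of this example (the page shows the exact PV relation only as an image).

```python
import secrets

# Diffie-Hellman parameters quoted in the description: Oakley group 2 prime
# (RFC 2409 section 6.2), base g = 2. Transcribed from the hex listing above.
P_HEX = (
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
    " 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
    " EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
    " E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    " EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381"
    " FFFFFFFF FFFFFFFF"
)
P = int(P_HEX.replace(" ", ""), 16)
G = 2
L_BITS = 64                              # "l = 64": minimum bit length of the secret exponent
K_OCTETS = (P.bit_length() + 7) // 8     # 128 octets for the 1024-bit prime


def random_exponent(l_bits=L_BITS, p=P):
    """Secret random number r from the interval 2^(l-1) <= r <= p-1 (steps 101 / 200)."""
    low = 1 << (l_bits - 1)
    return low + secrets.randbelow(p - low)


def public_value(r, g=G, p=P):
    """Public value y = g^r mod p (steps 102 / 201)."""
    return pow(g, r, p)


def encode_pv(y, k=K_OCTETS):
    """Express y as a fixed-length big-endian OCTET STRING PV of k octets
    (assumption of this example; the page shows its PV relation only as an image)."""
    return y.to_bytes(k, "big")


def decode_pv(pv):
    return int.from_bytes(pv, "big")


def shared_secret(r, peer_pv, p=P, k=K_OCTETS):
    """SK = peer^r mod p (steps 105 / 204), as a k-octet string.
    Degenerate peer values (0, 1, p-1 and anything >= p) are rejected so that a
    corrupted or tampered configuration file cannot force a trivial secret."""
    y = decode_pv(peer_pv)
    if not 1 < y < p - 1:
        raise ValueError("invalid peer public value")
    return pow(y, r, p).to_bytes(k, "big")


def kickstart_exchange():
    """Simulate the agent (steps 101-105) and the manager (steps 200-204).
    Returns the two independently computed shared secrets."""
    r1 = random_exponent()                       # agent, step 101
    agent_pv = encode_pv(public_value(r1))       # step 102; published in tceDCM105KickstartMyPublic (103)
    r2 = random_exponent()                       # manager, step 200
    mgr_pv = encode_pv(public_value(r2))         # step 201; delivered via the configuration file (202/104)
    sk_agent = shared_secret(r1, mgr_pv)         # step 105
    sk_manager = shared_secret(r2, agent_pv)     # step 204
    return sk_agent, sk_manager


if __name__ == "__main__":
    a, m = kickstart_exchange()
    print("shared secrets match:", a == m, "length:", len(a))
```

The validity check in shared_secret is the practical counterpart of the remark later in the description that the security of the scheme rests on how the manager's public value is provisioned: the agent has no way to authenticate P2, so at minimum it should refuse values that collapse the secret to 0 or 1.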
Next, in a preferred embodiment, the SNMPv3 agent converts the shared secret SK into privacy and authentication keys as follows. First, the agent transforms the shared secret SK into a readable password, preferably of 16 characters (or fewer) (step 106). Preferably, this is done by discarding any octets (in the SK string) beyond the 16th octet and then processing each remaining octet as follows:
A. if (octet > 0x7F) then octet = octet - 0x80; // clear the high bit
B. if (octet < 0x20) then octet = octet + 0x40; // remap control characters
C. if (octet == 0x7F) then octet = octet - 1; // remap the delete character
This procedure for producing a readable password helps the NMS operator to enter the password easily (as opposed to entering the octet string of the shared secret).
Second, the readable password is translated into a 16-byte key KC (step 107). This step is preferably performed using the algorithm described in RFC 2574, "A User-based Security Model (USM) for version 3 of the Simple Network Management Protocol", Appendix A, section A.1, paragraph (2). More particularly, a string of 1,048,576 octets is produced by repeating the password value as needed and truncating accordingly, and the resulting string is used as input to the MD5 algorithm (known in the prior art) to produce a digest (referred to as "digest1"). A second string is then formed by combining the snmpEngineID value of the SNMP engine with digest1. This string is used as input to the MD5 algorithm. The resulting digest is the 16-byte key.
The SNMPv3 agent then creates an SNMPv3 user (the provisioned user, referred to here as "docsisProv") and generates the appropriate USM and VACM entries (detailed below) with security level AuthPriv and read/write access to the SNMPv3 tables, and then preferably sets both the privacy key and the authentication key (of the provisioned user) to the 16-byte key KC value (step 108). The agent may use the same 16-byte key KC for other users of the SNMPv3 tables created by the configuration file. This concludes the registration process of the modem.
When registration is complete, the manager can confirm that the modem has entered SNMPv3 mode (step 203) by reading a non-zero-length OCTET STRING (the agent's public value P1) from the tceDCM105KickstartMyPublic MIB component. The manager reads this value with an SNMP "Get" command using the initial user "docsisInit" (security level noAuthNoPriv). The manager then computes the shared secret SK (by the Diffie-Hellman key exchange) from its random number r2 and the agent's public value P1 (i.e. the tceDCM105KickstartMyPublic value) (step 204). This is the same shared secret SK computed by the agent. Next, the manager computes from the shared secret SK the same readable password for the "docsisProv" user (step 205) and then, using the same procedure as the agent in steps 106-107 above, transforms the readable password into the KC value (step 206). The manager then sets its authentication and privacy keys for the provisioned user to the value KC (step 207). It should be noted that the Diffie-Hellman key exchange ensures that the agent and the manager compute the same 16-character password without having to communicate it. It should further be noted that the security of this method is directly related to the strength of the authorization security of the out-of-band provisioning of the manager's public value P2.
The manager then creates other SNMPv3 users (step 208) by using the "docsisProv" user and modifying the SNMPv3 tables (i.e. accessing SNMP-USER-BASED-SM-MIB and SNMP-VIEW-BASED-ACM-MIB) with the authentication and privacy passwords of the AuthPriv security level.
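Steps 106-107 (and the manager's identical steps 205-206) carried through as an added example, not code from the patent: the octet remapping of the shared secret into a readable password, the RFC 2574 Appendix A.1 password-to-key expansion, and the localization with snmpEngineID. The page only says the engine ID is combined with digest1; the concatenation order used here (digest1 || snmpEngineID || digest1) is the form given in RFC 2574 section A.2.1 and is an assumption about the patent's exact procedure. The sample SK and engine ID are constructed for the example; the function names are assumed.

```python
import hashlib


def shared_secret_to_password(sk: bytes) -> str:
    """Step 106: keep at most 16 octets of SK and remap each into printable ASCII
    with rules A, B and C from the description, applied in that order."""
    out = bytearray()
    for octet in sk[:16]:
        if octet > 0x7F:          # A: clear the high bit
            octet -= 0x80
        if octet < 0x20:          # B: remap control characters into 0x40-0x5F
            octet += 0x40
        if octet == 0x7F:         # C: remap DEL to '~'
            octet -= 1
        out.append(octet)
    return out.decode("ascii")    # every octet is now in 0x20..0x7E


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 2574 Appendix A.1: MD5 over 1,048,576 octets of the password repeated
    cyclically and truncated; the 16-byte result is digest1 (Ku)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.md5(stream).digest()


def localize_key(digest1: bytes, engine_id: bytes) -> bytes:
    """Key localization as in RFC 2574 A.2.1: MD5(digest1 || snmpEngineID || digest1).
    Assumption: the page does not state the concatenation order."""
    return hashlib.md5(digest1 + engine_id + digest1).digest()


def derive_kc(sk: bytes, engine_id: bytes) -> bytes:
    """Steps 106-107 end to end: SK -> readable password -> 16-byte key KC.
    The agent (steps 106-107) and the manager (steps 205-206) both run this
    on the same SK and therefore obtain the same KC."""
    password = shared_secret_to_password(sk).encode("ascii")
    return localize_key(password_to_key_md5(password), engine_id)


# Constructed sample inputs (not from the page): an SK whose first octets
# exercise every remapping rule, followed by a tail that step 106 discards.
SAMPLE_SK = bytes([0x00, 0x1F, 0x7F, 0x80, 0xFF, 0x41]) + b"KICKSTART!" + b"discarded-tail"
SAMPLE_ENGINE_ID = bytes.fromhex("800000020100000000")   # constructed engine ID

if __name__ == "__main__":
    print("readable password:", shared_secret_to_password(SAMPLE_SK))
    print("KC:", derive_kc(SAMPLE_SK, SAMPLE_ENGINE_ID).hex())
```

Note that rule A must run before rule C: an octet of 0xFF becomes 0x7F after clearing the high bit and only then is remapped to 0x7E, which is why the sample SK includes both 0x7F and 0xFF. The password-to-key and localization functions are checked against the published RFC 3414 test vector for "maplesyrup", so the derived KC is exactly the localized key a standard USM implementation would compute for that password.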
The following are exemplary entries generated in the SNMPv3 USM and VACM tables of a DOCSIS cable modem for initializing SNMPv3 mode. More particularly, the following exemplary entries (1-4a, b, c) are preferably preinstalled and initialized at power-up in a DOCSIS SNMPv3 compatible modem:
(1) This entry in usmUserTable (usmUserEntry) allows access to the system and tceDCM105Kickstart groups. After registration is complete, it allows the SNMP manager to read the Diffie-Hellman public value of the modem (published by the agent in the tceDCM105KickstartMyPublic MIB component):
usmUserEngineID localEngineID
usmUserName "docsisInit"
usmUserSecurityName "docsisInit"
usmUserCloneFrom ZeroDotZero
usmUserAuthProtocol none
usmUserAuthKeyChange ""
usmUserOwnAuthKeyChange ""
usmUserPrivProtocol none
usmUserPrivKeyChange ""
usmUserOwnPrivKeyChange ""
usmUserPublic ""
usmUserStorageType permanent
usmUserStatus active
(2) An entry (vacmSecurityToGroupEntry) is generated in vacmSecurityToGroupTable to map the initial user "docsisInit" to the objects it is expected to access (i.e. this generates the groupName for the initial user "docsisInit", which is used to define the access control policy of the initial user):
vacmSecurityModel 3 (USM)
vacmSecurityName "docsisInit"
vacmGroupName "docsisInit"
vacmSecurityToGroupStorageType permanent
vacmSecurityToGroupStatus active
(3) An entry (vacmAccessEntry) generated in vacmAccessTable translates the groupName of the initial user into the appropriate view names (i.e. this defines the access rights of the initial user "docsisInit"):
vacmGroupName "docsisInit"
vacmAccessContextPrefix ""
vacmAccessSecurityModel 3 (USM)
vacmAccessSecurityLevel noAuthNoPriv
vacmAccessContextMatch exact
vacmAccessReadViewName "docsisInitRestricted"
vacmAccessWriteViewName ""
vacmAccessNotifyViewName "docsisInitRestricted"
vacmAccessStorageType permanent
vacmAccessStatus active
The above entry in vacmAccessTable is used for unauthenticated access, i.e. read-notify access for securityModel USM at securityLevel "noAuthNoPriv" for the securityName (i.e. the user "docsisInit"), where the securityName belongs to the group "docsisInit" and is given the "docsisInitRestricted" MIB view in the default context with contextName "".
(4) The following three entries (vacmViewTreeFamilyEntry) are generated in vacmViewTreeFamilyTable to allow the initial user to access the system group, the kickstart group and the generic traps:
(a) vacmViewTreeFamilyViewName "docsisInitRestricted"
vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1 (included)
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
(b) vacmViewTreeFamilyViewName "docsisInitRestricted"
vacmViewTreeFamilySubtree (tceDCM105KickstartGroup)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1 (included)
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
(c) vacmViewTreeFamilyViewName "docsisInitRestricted"
vacmViewTreeFamilySubtree 1.3.6.1.6.3.1.1.5 (snmpTraps)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1 (included)
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
Upon completion of the Diffie-Hellman key exchange, the following entries (5-8a, b, c, d) are created in the SNMPv3 compatible modem.
(5) The following entry in usmUserTable is associated with the provisioned user, which is created using the authentication and privacy keys set by the DH key exchange. This entry is preferably created via the configuration file explained above, at the time the modem is provisioned with the manager's public value (steps 202 and 104, Fig. 2). It should be noted that the userName "docsisProv" has at least full access to usmUserTable so as to create additional valid users, and is preferably generated with the authentication and privacy keys set by the DH key exchange:
usmUserEngineID localEnginel]D
usmUserName ″docsisProv″
usmUserSecurityName ″docsisProv″
usmUserCloneFrom ZeroDotZero
usmUserAuthprotocol usmHMACMD5AuthProtocol
asmUserAuthKeyChange “”
usmUserOwnAuthKeyChange “”
usmUserPrivProtocol usmDESPrivProtocol
usmUserPrivKeyChange “”
usmUserOwnPrivKeyChange “”
usmUserPublic “”
UsmUserStorageType is permanent
UsmUserStatus is effective
(6) The following entry maps the provisioned user "docsisProv" to a group of accessible objects:
vacmSecurityModel 3 (USM)
vacmSecurityName "docsisProv"
vacmGroupName "docsisProv"
vacmSecurityToGroupStorageType permanent
vacmSecurityToGroupStatus active
(7) The following entry translates the provisioned user's groupName into view names:
vacmGroupName "docsisProv"
vacmAccessContextPrefix ""
vacmAccessSecurityModel 3 (USM)
vacmAccessSecurityLevel authPriv
vacmAccessContextMatch exact
vacmAccessReadViewName "docsisProv"
vacmAccessWriteViewName "docsisProv"
vacmAccessNotifyViewName "docsisProv"
vacmAccessStorageType permanent
vacmAccessStatus active
(8) The following four entries give the provisioned user write access to the system, tceDCM105Kickstart, usmMIBObjects and vacmMIBObjects groups:
(a) vacmViewTreeFamilyViewName "docsisProv"
vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
(b) vacmViewTreeFamilyViewName "docsisProv"
vacmViewTreeFamilySubtree 1.6.3.1.6.3.15.1 (usmMIBObjects)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
(c) vacmViewTreeFamilyViewName "docsisProv"
vacmViewTreeFamilySubtree 1.6.3.1.6.3.16.1 (vacmMIBObjects)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
(d) vacmViewTreeFamilyViewName "docsisProv"
vacmViewTreeFamilySubtree (tceDCM105KickstartGroup)
vacmViewTreeFamilyMask ""
vacmViewTreeFamilyType 1
vacmViewTreeFamilyStorageType permanent
vacmViewTreeFamilyStatus active
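To see what the two bootstrap users can actually reach, here is an added example (not part of the patent) that models the VACM isAccessAllowed() lookup of RFC 3415 over the vacmSecurityToGroupTable, vacmAccessTable and vacmViewTreeFamilyTable entries described above. It assumes the registered OIDs for usmMIBObjects (1.3.6.1.6.3.15.1) and vacmMIBObjects (1.3.6.1.6.3.16.1), and a placeholder OID for tceDCM105KickstartGroup, which the patent names but does not number.

```python
# Added example, not part of the patent: minimal VACM isAccessAllowed() model (RFC 3415)
# loaded with the docsisInit / docsisProv entries from the description above, so the
# reach of each bootstrap user can be checked offline.
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # SnmpSecurityLevel
USM = 3                                              # SnmpSecurityModel usm(3)

def oid(dotted):
    return tuple(int(x) for x in dotted.split("."))

# Hypothetical placeholder: the patent names tceDCM105KickstartGroup but gives no OID.
KICKSTART_GROUP = oid("1.3.6.1.4.1.99999.1")

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {(USM, "docsisInit"): "docsisInit", (USM, "docsisProv"): "docsisProv"}

# vacmAccessTable: (groupName, contextPrefix, securityModel, securityLevel)
#   -> (readViewName, writeViewName, notifyViewName); "" means no view of that kind
ACCESS = {
    ("docsisInit", "", USM, NO_AUTH_NO_PRIV): ("docsisInitRestricted", "", "docsisInitRestricted"),
    ("docsisProv", "", USM, AUTH_PRIV): ("docsisProv", "docsisProv", "docsisProv"),
}

# vacmViewTreeFamilyTable: viewName -> included subtrees (mask "" = exact prefix match)
VIEWS = {
    "docsisInitRestricted": [oid("1.3.6.1.2.1.1"), KICKSTART_GROUP, oid("1.3.6.1.6.3.1.1.5")],
    "docsisProv": [oid("1.3.6.1.2.1.1"), oid("1.3.6.1.6.3.15.1"),
                   oid("1.3.6.1.6.3.16.1"), KICKSTART_GROUP],
}

def is_access_allowed(model, name, level, context, view_type, target):
    """RFC 3415 isAccessAllowed for view_type in ('read', 'write', 'notify'); target is an OID tuple."""
    group = SECURITY_TO_GROUP.get((model, name))
    if group is None:
        return False                       # noSuchGroupName
    # Exact context match; an entry applies only if its securityLevel <= the request's,
    # so a noAuthNoPriv request can never select the authPriv-only "docsisProv" entry.
    candidates = [(k, v) for k, v in ACCESS.items()
                  if k[0] == group and k[1] == context and k[2] == model and k[3] <= level]
    if not candidates:
        return False                       # noAccessEntry
    _, views = max(candidates, key=lambda kv: kv[0][3])   # prefer the highest securityLevel
    view_name = views[("read", "write", "notify").index(view_type)]
    if not view_name:
        return False                       # noSuchView
    return any(target[:len(sub)] == sub for sub in VIEWS[view_name])

if __name__ == "__main__":
    print(is_access_allowed(USM, "docsisInit", NO_AUTH_NO_PRIV, "", "write", oid("1.3.6.1.2.1.1.5.0")))  # False
```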
In an alternative embodiment of the invention, other methods may be used to enter the manager's Diffie-Hellman public value into the modem and place it in SNMPv3 mode, namely dedicated configuration file elements (rather than setting the tceDCM105KickstartMgrPublic MIB element discussed above) that do not use SNMP MIB objects (configuration file type 11). These dedicated elements are specifically intended for initializing SNMPv3-compatible modems in an SNMP network in which SNMPv1/v2c modems cannot process a configuration file that includes an SNMP set of the tceDCM105KickstartMgrPublic element and would ultimately reject that configuration file. For example, the following configuration file elements may be used:
(1) tceKickStartMgrPublic (element 180): this element contains a 128-byte octet string corresponding to the manager's public value; and
(2) tceKickStartMgrPublic2 (element 181): this element also contains the manager's public value. In addition to placing the modem in SNMPv3 mode, however, it also allows the modem to translate the contents of docsDevNmAccessTable (used to control access in SNMPv1/v2c) into corresponding entries in the SNMPv3 user, group, access and view tables. More particularly, for each entry in docsDevNmAccessTable a user and a view are created, with the userName set to the community string and the access entry requiring the noAuthNoPriv security level. Entries are also made in the SNMPv3 NOTIFICATION-MIB so that traps are sent to any trap receivers designated in docsDevNmAccessTable. With this configuration file element (181), the modem is placed in SNMPv3 mode but can still be accessed by an SNMPv2 manager. The details of this configuration file element and the related translation process are described in the PCT patent application filed concurrently herewith under Attorney Docket No. RCA 89827, entitled "System and Method For Simple Network Management Protocol (SNMP) v3 Modems to Interoperate with SNMPv1/v2c Modems".
In another embodiment, the public values P1 and P2 of the agent and the manager may be exchanged using DHCP. For example, the agent may include its public value in the DHCP request it sends to the CMTS during the initialization process (described above), and the manager's public value may be sent to the cable modem in the associated DHCP acknowledgement. In particular, a DHCP private element tceDHCPKickstartMgrPublic (182) may be included in the DHCP reply.

Claims (5)

1. A method for initializing a Simple Network Management Protocol v3 device, wherein a Simple Network Management Protocol manager and a Simple Network Management Protocol agent in the Simple Network Management Protocol v3 device use the Diffie-Hellman key agreement protocol to enter an initial privacy key and an initial authentication key into the Simple Network Management Protocol v3 device, wherein the Simple Network Management Protocol manager and the Simple Network Management Protocol agent each use the Diffie-Hellman protocol to generate an associated random number and public value, wherein the Simple Network Management Protocol manager delivers its public value to the Simple Network Management Protocol agent in a configuration file, wherein the Simple Network Management Protocol manager uses an initial valid user having access to the public value of the Simple Network Management Protocol agent to read the agent's public value by means of a Simple Network Management Protocol request, and wherein the Simple Network Management Protocol agent and the Simple Network Management Protocol manager use the Diffie-Hellman key agreement protocol to compute a shared secret, the method being characterized by the steps of:
converting the shared secret into a readable password;
converting the readable password into a privacy key; and
setting both the initial authentication key and the initial privacy key to the value of this privacy key.
2. The method of claim 1, wherein the readable password comprises a 16-character password, and the step of converting the shared secret into the readable password comprises:
discarding every octet of the shared secret string beyond the 16th octet;
then processing each remaining octet as follows:
a. if (octet > 0x7F) then octet = octet - 0x80;
b. if (octet < 0x20) then octet = octet + 0x40;
c. if (octet == 0x7F) then octet = octet - 1.
3. The method of claim 1, wherein the privacy key comprises a 16-byte string, and the step of converting the readable password into the privacy key is performed using the algorithm described in the User-based Security Model of Simple Network Management Protocol v3.
4. The method of claim 1, characterized in that the configuration file comprises a dedicated configuration file element that passes the public value of the Simple Network Management Protocol manager to the Simple Network Management Protocol agent.
5. The method of claim 4, wherein the Simple Network Management Protocol v3 device operates in a Simple Network Management Protocol v1/v2c-enabled network that includes Simple Network Management Protocol v2c devices, and wherein the dedicated configuration file element is ignored by the Simple Network Management Protocol v2c devices.
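The key derivation of claims 1 to 3, carried through as an added example that is not part of the patent: the octet fold of claim 2 followed by the SNMPv3 USM password-to-key algorithm of RFC 3414 with HMAC-MD5 (the protocol named in the usmUserTable entry above), with the result used as both initial keys as claim 1 requires. The shared-secret bytes are constructed test data, and the engine ID is the one from the RFC 3414 test vector.

```python
# Added example, not part of the patent: claims 1-3 as working code. The fold of claim 2
# is implemented literally; claim 3 uses the RFC 3414 USM password-to-key algorithm with
# MD5, matching usmHMACMD5AuthProtocol in the usmUserTable entry of the description.
import hashlib

def secret_to_password(shared_secret: bytes) -> bytes:
    """Claim 2: keep the first 16 octets and fold each into printable ASCII (0x20..0x7E)."""
    out = bytearray()
    for octet in shared_secret[:16]:          # discard everything past the 16th octet
        if octet > 0x7F:                      # a. clear the high bit
            octet -= 0x80
        if octet < 0x20:                      # b. lift control characters into 0x40..0x5F
            octet += 0x40
        if octet == 0x7F:                     # c. DEL becomes '~'
            octet -= 1
        out.append(octet)
    return bytes(out)

def password_to_key_md5(password: bytes, engine_id: bytes) -> bytes:
    """Claim 3 / RFC 3414 A.2.1: expand to 1 MiB, MD5, then localize with the engineID."""
    reps, rem = divmod(1_048_576, len(password))
    ku = hashlib.md5(password * reps + password[:rem]).digest()
    return hashlib.md5(ku + engine_id + ku).digest()     # 16-byte localized key

def derive_initial_keys(shared_secret: bytes, engine_id: bytes) -> dict:
    """Claim 1: both initial USM keys are set to the same localized value."""
    password = secret_to_password(shared_secret)
    key = password_to_key_md5(password, engine_id)
    return {"password": password, "auth_key": key, "priv_key": key}

# Constructed inputs: a 20-octet "shared secret" exercising every branch of the fold,
# and the engineID from the RFC 3414 A.3.1 test vector.
SECRET = bytes([0x00, 0x1F, 0x7F, 0x80, 0xFF, 0x41, 0x9F, 0xA0]) + b"ABCDEFGHIJKL"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    keys = derive_initial_keys(SECRET, ENGINE_ID)
    print(keys["password"])            # b'@_~@~A_ ABCDEFGH'
    print(keys["auth_key"].hex())
```

Because each of the 16 kept octets is folded into one of 95 printable values, the password retains at most about 105 bits of the shared secret's entropy, which bounds the strength of both derived keys.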
CNB008135274A 1999-09-28 2000-09-22 System and method for intializing simple network management protocol (SNMP) agent Expired - Lifetime CN1213582C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15638599P 1999-09-28 1999-09-28
US60/156,385 1999-09-28

Publications (2)

Publication Number Publication Date
CN1385020A CN1385020A (en) 2002-12-11
CN1213582C true CN1213582C (en) 2005-08-03

Family

ID=22559355

Country Status (8)

Country Link
EP (1) EP1216562B1 (en)
JP (1) JP2003510965A (en)
KR (1) KR100654741B1 (en)
CN (1) CN1213582C (en)
AU (1) AU4025901A (en)
CA (1) CA2385057A1 (en)
DE (1) DE60026721T2 (en)
WO (1) WO2001024444A2 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU4026001A (en) * 1999-09-28 2001-04-30 Thomson Licensing S.A. System and method for simple network management protocol (snmp) v3 modems to interoperate with snmpv1/v2c modems

Also Published As

Publication number Publication date
JP2003510965A (en) 2003-03-18
EP1216562A2 (en) 2002-06-26
WO2001024444A3 (en) 2001-11-08
KR20020035646A (en) 2002-05-13
DE60026721T2 (en) 2006-08-24
AU4025901A (en) 2001-04-30
CA2385057A1 (en) 2001-04-05
EP1216562B1 (en) 2006-03-15
CN1385020A (en) 2002-12-11
WO2001024444A2 (en) 2001-04-05
DE60026721D1 (en) 2006-05-11
KR100654741B1 (en) 2006-12-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: I Si Eli Murli Nor, France

Patentee after: THOMSON LICENSING

Address before: French Boulogne

Patentee before: THOMSON LICENSING

TR01 Transfer of patent right

Effective date of registration: 20190529

Address after: Paris France

Patentee after: Interactive digital CE patent holding Co.

Address before: I Si Eli Murli Nor, France

Patentee before: THOMSON LICENSING

CX01 Expiry of patent term

Granted publication date: 20050803
